<p>A newly opened window that keeps a reference back to the originating window enables basic phishing attacks: the <code>window.opener</code> object is not
<code>null</code>, so the opened page can set <code>window.opener.location</code> and navigate the original page to a malicious website.</p>
<p>For instance, an attacker can place a link (say: "http://example.com/mylink") on a popular website that, when opened, navigates the original page to
"http://example.com/fake_login". On "http://example.com/fake_login" there is a fake login page which could trick real users into entering their
credentials.</p>
<h2>Ask Yourself Whether</h2>
<ul>
  <li> The application opens untrusted external URLs in a new window or tab. </li>
</ul>
<p>There is a risk if you answered yes to this question.</p>
<h2>Recommended Secure Coding Practices</h2>
<p>Use <code>noopener</code> to prevent untrusted pages from abusing <code>window.opener</code>.</p>
<h2>Sensitive Code Example</h2>
<pre>
window.open("https://example.com/dangerous"); // Sensitive
</pre>
<h2>Compliant Solution</h2>
<pre>
// With "noopener" the new page's window.opener is null; note that window.open() then returns null as well
window.open("https://example.com/dangerous", "WindowName", "noopener");
</pre>
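<p>The following is an added example and not code from the original rule: a small wrapper that always opens untrusted destinations with <code>noopener</code> (plus <code>noreferrer</code>, which implies it and also suppresses the Referer header) and rejects non-http(s) schemes, together with an audit helper that lists anchors a page would still leave exposed. The <code>win</code> parameter, the <code>demo</code> function and the sample anchors are assumptions made so the code can run outside a browser.</p>

```javascript
// Added example (not code from the original rule description): a helper that
// opens untrusted URLs with opener access severed, and an audit function that
// lists links a page would still expose to reverse tabnabbing.
// Assumptions: `win` has the standard window.open(url, name, features)
// signature; anchors are plain {href, target, rel} objects (constructed below).

// Build the window.open features string. "noopener" makes window.opener null in
// the new page; "noreferrer" also drops the Referer header and implies noopener.
function safeWindowFeatures(extra = "") {
  const features = new Set(
    extra.split(",").map((f) => f.trim()).filter(Boolean)
  );
  features.add("noopener");
  features.add("noreferrer");
  return Array.from(features).join(",");
}

// Open `url` in a new browsing context that cannot reach back to this one.
// `win` is injected so the function can be exercised outside a browser.
function openUntrusted(url, name = "_blank", win = globalThis.window) {
  if (!win || typeof win.open !== "function") {
    throw new Error("no window object available");
  }
  let parsed;
  try {
    parsed = new URL(url); // absolute URLs only; relative input is rejected
  } catch (err) {
    throw new Error(`invalid URL: ${url} (${err.message})`);
  }
  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") {
    throw new Error(`refusing to open non-http(s) scheme: ${parsed.protocol}`);
  }
  // With noopener the call returns null, so callers must not rely on a handle.
  return win.open(parsed.href, name, safeWindowFeatures());
}

// Report hrefs of anchors that open a new context without noopener/noreferrer.
function findTabnabbingRisks(anchors) {
  return anchors
    .filter((a) => {
      if (a.target !== "_blank") return false;
      const rel = (a.rel || "").toLowerCase().split(/\s+/);
      return !rel.includes("noopener") && !rel.includes("noreferrer");
    })
    .map((a) => a.href);
}

// Constructed sample data for a stand-alone run.
const SAMPLE_ANCHORS = [
  { href: "https://example.com/dangerous", target: "_blank", rel: "" },
  { href: "https://example.com/safe", target: "_blank", rel: "noopener noreferrer" },
  { href: "https://example.com/same-tab", target: "", rel: "" },
];

// Stand-alone demo: a fake window records what would be passed to window.open.
function demo() {
  const calls = [];
  const fakeWin = { open: (...args) => { calls.push(args); return null; } };
  openUntrusted("https://example.com/dangerous", "WindowName", fakeWin);
  return { openCall: calls[0], risky: findTabnabbingRisks(SAMPLE_ANCHORS) };
}

if (typeof module !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

<p>The same <code>findTabnabbingRisks</code> check can be run in a browser against <code>Array.from(document.links)</code>, since anchor elements expose <code>href</code>, <code>target</code> and <code>rel</code> with the shapes used above; any link it reports should get <code>rel="noopener"</code> (or <code>noreferrer</code>) added.</p>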
<h2>See</h2>
<ul>
  <li> OWASP - <a href="https://owasp.org/Top10/A05_2021-Security_Misconfiguration/">Top 10 2021 Category A5 - Security Misconfiguration</a> </li>
  <li> <a href="https://owasp.org/www-community/attacks/Reverse_Tabnabbing">Reverse Tabnabbing</a> </li>
  <li> CWE - <a href="https://cwe.mitre.org/data/definitions/1022">CWE-1022 - Use of Web Link to Untrusted Target with window.opener Access</a> </li>
  <li> OWASP - <a href="https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration">Top 10 2017 Category A6 - Security Misconfiguration</a> </li>
  <li> <a href="https://mathiasbynens.github.io/rel-noopener/">https://mathiasbynens.github.io/rel-noopener/</a> </li>
</ul>
